From ceb34d6c7e31d5b43a98bea07f145fe88ba2ba93 Mon Sep 17 00:00:00 2001
From: LPF
Date: Tue, 17 Mar 2026 18:16:52 +0800
Subject: [PATCH] Allow credentialed cross-origin API requests
---
 pkg/api/server.go | 1 +
 pkg/api/server_test.go | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/pkg/api/server.go b/pkg/api/server.go
index 353380e..1be2b71 100644
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -245,6 +245,7 @@ func (s *Server) withCORS(next http.Handler) http.Handler {
 } else {
 w.Header().Set("Access-Control-Allow-Origin", "*")
 }
+ w.Header().Set("Access-Control-Allow-Credentials", "true")
 allowMethods := strings.TrimSpace(r.Header.Get("Access-Control-Request-Method"))
 if allowMethods == "" {
 allowMethods = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
diff --git a/pkg/api/server_test.go b/pkg/api/server_test.go
index c8d691a..33548dc 100644
--- a/pkg/api/server_test.go
+++ b/pkg/api/server_test.go
@@ -193,6 +193,9 @@ func TestWithCORSEchoesPreflightHeaders(t *testing.T) {
 if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "https://dash.clawgo.dev" {
 t.Fatalf("unexpected allow origin: %q", got)
 }
+ if got := rec.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
+ t.Fatalf("unexpected allow credentials: %q", got)
+ }
 if got := rec.Header().Get("Access-Control-Allow-Methods"); got != "POST" {
 t.Fatalf("unexpected allow methods: %q", got)
 }
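Review bot: The added `Access-Control-Allow-Credentials: true` is set after the if/else in withCORS, so it is also sent on the `else` path that answers with `Access-Control-Allow-Origin: *`, a combination browsers refuse for credentialed requests. The other branch needs the closer look, and its condition lies outside the hunk: if it echoes the request's Origin without checking it against a configured allowlist, this header would let any website issue cookie-authenticated API calls and read the responses. I would move `w.Header().Set("Access-Control-Allow-Credentials", "true")` into the branch that emits a specific origin and confirm that branch validates the origin before echoing it. That branch should also carry `w.Header().Add("Vary", "Origin")` if it does not already, so shared caches do not serve one origin's response to another.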
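Review bot: The new assertion in TestWithCORSEchoesPreflightHeaders checks the credentials header only for the preflight that gets `https://dash.clawgo.dev` echoed back; nothing pins down the response when no specific origin is echoed. A companion case that exercises the wildcard path, asserting `rec.Header().Get("Access-Control-Allow-Credentials") == ""`, would document that credentials are never advertised together with `*`. If the server has an origin allowlist, the same assertion for an origin outside it would be worth adding. The test function starts and ends outside the hunk.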